This document describes how to configure secure wireless access using
Wireless LAN controllers, Microsoft Windows 2003 software and Cisco Secure
Access Control Server (ACS) 5.1 via Protected Extensible Authentication
Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP) version 2.
There is an assumption that the installer has knowledge of basic
Windows 2003 installation and Cisco Wireless LAN controller installation as
this document only covers the specific configurations to facilitate the
Before you begin, install the Microsoft Windows Server 2003 with SP1
operating system on each of the servers in the test lab and update all Service
Packs. Install the controllers and lightweight access points (LAPs) and ensure
that the latest software updates are installed.
Windows Server 2003 with SP1, Enterprise Edition, is used so that
auto-enrollment of user and workstation certificates for PEAP authentication
can be configured. Certificate auto-enrollment and autorenewal make it easier
to deploy certificates and improve security by automatically expiring and
The information in this document is based on these software and
Cisco 2106 or 5508 Series Controller that runs
Cisco 1142 Lightweight Access Point Protocol (LWAPP) access point
Windows 2003 Enterprise with Internet Information Server (IIS),
Certificate Authority (CA), DHCP, and Domain Name System (DNS)
Cisco 1121 Secure Access Control System Appliance (ACS)
Windows XP Professional with SP2 (and updated Service Packs) and
wireless network interface card (NIC) (with CCX v3 support) or third party
Cisco 3750 Switch
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
The primary purpose of this document is to provide you with the step-by-step
procedure to implement PEAP under Unified Wireless Networks with ACS 5.1
and the Windows 2003 Enterprise server. The main emphasis is on auto-enrollment
of the client so that the client auto-enrolls and takes the certificate from
Open the Active Directory Domains and Trusts
snap-in from the Administrative Tools folder
(Start > Programs >
Administrative Tools > Active Directory Domains and
Trusts), and then right-click the domain computer
Click Raise Domain Functional Level, and then
select Windows Server 2003 on the Raise Domain Functional
Install Dynamic Host Configuration Protocol (DHCP)
as a Networking Service component by using Add or
Remove Programs in the Control Panel.
Open the DHCP snap-in from the
Administrative Tools folder (Start >
Programs > Administrative Tools >
DHCP), and then highlight the DHCP server,
Click Action, and then click
Authorize in order to authorize the DHCP
In the console tree, right-click CA.demo.local,
and then click New Scope.
On the Welcome page of the New Scope wizard, click
On the Scope Name page, type CorpNet in the Name
Click Next and fill in these parameters:
Start IP address - 10.0.20.1
End IP address - 10.0.20.200
Length - 24
Subnet mask - 255.255.255.0
Click Next and enter
10.0.20.1 for the Start IP address and
10.0.20.100 for the End IP address to be excluded. Then
click Next. This excludes the addresses from 10.0.20.1 to 10.0.20.100 (which
includes the default gateway) from the pool. These excluded IP addresses are not allotted by the
On the Lease Duration page, click
On the Configure DHCP Options page, choose Yes, I want to
configure these options now and click
On the Router (Default Gateway) page add the default router address
of 10.0.20.1 and click
On the Domain Name and DNS Servers page, type
demo.local in the Parent domain field, type
10.0.10.10 in the IP address field, and then click
Add and click Next.
On the WINS Servers page, click
On the Activate Scope page, choose Yes, I want to activate
this scope now and click Next.
When you finish with the New Scope Wizard page, click
Note: IIS must be installed before you install Certificate Services, and the
user who installs it must be a member of the Enterprise Admins group.
In Control Panel, open Add or Remove Programs, and
then click Add/Remove Windows Components.
In the Windows Components Wizard page, choose Certificate Services,
and then click Next.
On the CA Type page, choose Enterprise root CA and click
In the CA Identifying Information page, type
democa in the Common name for this CA box. You can also
enter the other optional details. Then click Next and accept
the defaults on the Certificate Database Settings page.
Click Next. Upon completion of the installation,
Click OK after you read the warning message about
In the Active Directory Users and Computers console tree, click the
Computers folder and right-click on the computer for which you
want to assign wireless access. This example shows the procedure with computer
Client which you added in step 7. Click
Properties, and then go to the Dial-in
In the Remote Access Permission, choose Allow
access and click OK.
In the details pane of Active Directory Users and Computers,
double-click on the group
Go to the Members tab and click
In the Select Users, Contacts, Computers, or Groups dialog box,
type the name of the users that you want to add to the group. This example
shows how to add the user wirelessuser to the group. Click
In the Multiple Names Found dialog box, click OK.
The wirelessuser user account is added to the wirelessusers
Click OK in order to save changes to the
Repeat this procedure to add more users to the
Note: The assumption is that the controller has basic connectivity to the
network and IP reachability to the management interface is successful.
Browse to https://10.0.1.10 in order to login to
Log in with the default user admin and default
Create a new Interface for VLAN mapping under the
In the Interface name field, enter Employee.
(This field can be any value you like.)
In the VLAN ID field, enter 20. (This field
can be any VLAN that is carried in the network.)
Configure the information as this Interfaces > Edit window
Interface IP Address -
Netmask - 255.255.255.0
Gateway - 10.0.10.1
Primary DHCP -
Click the WLANs tab.
Choose Create New, and click
Enter a Profile Name, and, in the WLAN SSID field, enter
Choose an ID for the WLAN, and click
Configure the information for this WLAN when the WLANs > Edit
Note: WPA2 is the chosen Layer 2 encryption method for this lab. In
order to allow WPA with TKIP-MIC clients to associate to this SSID, you can
also check the WPA compatibility mode and Allow WPA2
TKIP Clients boxes for those clients that do not support the 802.11i
AES encryption method.
On the WLANs > Edit screen, click the General
Make sure that the Status box is checked for
Enabled and the appropriate Interface
(employee) is chosen. Also, make sure to check the Enabled
check box for Broadcast SSID.
Click the Security tab.
Under the Layer 2 sub-menu, choose WPA + WPA2 for
Layer 2 Security. For WPA2 encryption, check AES; check TKIP as well only
if legacy TKIP-only clients must be supported, since TKIP is weaker than AES.
Choose 802.1x as the authentication
Skip the Layer 3 sub-menu as it is not required. Once the RADIUS
server is configured, the appropriate server can be chosen from the
The QoS and Advanced tabs can be
left at default unless any special configurations are
Click the Security menu to add the RADIUS
Under the RADIUS sub-menu, click Authentication.
Then, click New.
Add the RADIUS server IP address (10.0.10.20) which is the ACS
server configured earlier.
Make sure that the shared key matches the AAA client configured in
the ACS server. Make sure that the Network User box is checked
and click Apply.
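The step above says the shared key on the controller must match the AAA client entry on ACS, but the page does not show what that key actually does on the wire. The following is an added example, not code from the original Cisco document: it builds the two checks that RADIUS uses to prove both sides hold the same secret, the Message-Authenticator HMAC the WLC puts into every Access-Request that carries EAP (RFC 3579) and the Response Authenticator ACS puts into its reply (RFC 2865). The NAS address, identifier, user name and secret values are constructed for the example.

```python
"""RADIUS shared-secret checks between the WLC (client) and ACS (server).

Added example, not code from the original Cisco document. The shared key
never crosses the wire: the WLC proves it holds the key with a
Message-Authenticator attribute (HMAC-MD5 over the packet, RFC 3579), which
is mandatory when an EAP-Message is present, and ACS proves it in the
Response Authenticator (MD5 over the reply plus the secret, RFC 2865). If the
keys differ, ACS discards the request and the WLC discards any reply, so the
supplicant only sees EAP time out. Addresses, user and secret are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(secret, ident, user, nas_ip, eap, request_auth):
    """Build an Access-Request the way the WLC does: carry the client's EAP
    frame and sign the whole packet with Message-Authenticator, computed
    with that attribute's value set to 16 zero bytes (RFC 3579 section 3.2)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac           # the zeroed value is the last 16 bytes


def verify_message_authenticator(secret, packet):
    """ACS-side check: locate Message-Authenticator, zero it, recompute the HMAC."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False                # malformed attribute; never loop forever
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False                        # no Message-Authenticator: reject for EAP


def build_response(secret, code, request, attrs=b""):
    """ACS-side reply. Response Authenticator =
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request, response):
    """WLC-side check that the reply was produced with the same shared key."""
    if response[1] != request[1]:
        return False                    # not the reply to this request
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(wlc_secret: bytes, acs_secret: bytes) -> dict:
    """Run one round trip and report which side accepted the other's packet."""
    eap_identity = b"\x02\x01\x00\x11\x01wirelessuser"   # EAP Response/Identity (constructed)
    req = build_access_request(wlc_secret, ident=7, user="wirelessuser",
                               nas_ip="10.0.1.10", eap=eap_identity,
                               request_auth=os.urandom(16))
    acs_ok = verify_message_authenticator(acs_secret, req)
    # ACS answers only when the request checks out (an Access-Reject here, since
    # this toy server keeps no EAP state); otherwise it silently drops the packet.
    reply = build_response(acs_secret, ACCESS_REJECT, req) if acs_ok else None
    wlc_ok = reply is not None and verify_response(wlc_secret, req, reply)
    return {"acs_accepted_request": acs_ok, "wlc_accepted_reply": wlc_ok}


if __name__ == "__main__":
    print("matching keys:", exchange(b"S3cretKey", b"S3cretKey"))
    print("mismatched:   ", exchange(b"S3cretKey", b"s3cretkey"))
```

The practical point is the second case: with a mismatched key the WLC never receives a reply it can validate, so the supplicant reports an authentication timeout rather than a rejection, and the failure shows up on ACS as a dropped or invalid packet from the AAA client rather than in the failed-authentication report.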
The basic configuration is now complete and you can begin to test
PEAP with MS-CHAP version 2 requires a server certificate on the ACS servers
but not on the wireless clients; the clients only need to trust the CA that
issued the ACS certificate. Auto-enrollment of certificates from the CA can
be used to simplify a deployment.
In order to configure CA server to provide auto-enrollment for computer
and user certificates, complete the procedures in this section.
Note: Microsoft has changed the Web Server template with the release of the
Windows 2003 Enterprise CA so that keys are no longer exportable and the option
is grayed out. There are no other certificate templates supplied with
certificate services that are for server authentication and give the ability to
mark keys as exportable that are available in the drop-down so you have to
create a new template that does so.
Note: Windows 2000 allows for exportable keys and these procedures do not
need to be followed if you use Windows 2000.
In the Details pane of the Certificate Templates snap-in, click the
Web Server template.
On the Action menu, click Duplicate
In the Template display name field, enter
Go to the Request Handling tab and check
Allow private key to be exported. Also ensure that
Signature and Encryption is selected from the Purpose
Choose Requests must use one of the following CSPs
and check Microsoft Base Cryptographic Provider v1.0. Uncheck
any other CSPs that are checked, and click
Go to the Subject Name tab, choose
Supply in the request (the subject, for example the ACS server's host name,
is typed in when the certificate is requested), and click OK.
Go to the Security tab, highlight the
Domain Admins Group, and make sure that the
Enroll option is checked under Allowed.
Note: If you choose to build from this Active Directory information instead,
check only the User principal name (UPN) and uncheck the
Include email name in subject name and E-mail name boxes, because an
e-mail name was not entered for the Wireless User account in the Active
Directory Users and Computers snap-in. If you do not disable these two options,
auto-enrollment attempts to use e-mail, which results in an auto-enrollment
There are additional security measures if needed to prevent
certificates from being automatically pushed out. These can be found under the
Issuance Requirements tab. This is not discussed further in this document.
Click OK in order to save the template and move
onto issuing this template from the Certificate Authority
In our example, CLIENT is a computer that runs Windows XP Professional
with SP2 that acts as a wireless client and obtains access to Intranet resources
through the wireless AP. Complete the procedures in this section in order to
configure CLIENT as a wireless client.
Disconnect the CLIENT computer from the Intranet network
Restart the CLIENT computer, and then log on using the local
Install the wireless network adapter.
Note: Do not install the manufacturer's configuration software for the
wireless adapter. Install the wireless network adapter drivers using the Add
Hardware Wizard. Also, when prompted, provide the CD provided by the
manufacturer or a disk with updated drivers for use with Windows XP
Professional with SP2.
Log off and then log in using the WirelessUser
account in the demo.local domain.
Choose Start > Control Panel,
double-click Network Connections, and then right-click
Wireless Network Connection.
Click Properties, go to the Wireless
Networks tab, and make sure the Use Windows to configure my
wireless network settings is checked.
Under the Association tab, enter Employee in
the Network name (SSID) field.
Choose WPA for the Network Authentication, and
make sure that Data encryption is set to
Click the Authentication tab.
Validate that EAP type is configured to use Protected EAP
(PEAP). If it is not, choose it from the drop-down
If you want the machine to be authenticated prior to login (which
allows login scripts or group policy pushes to be applied), check
Authenticate as computer when computer information is
As PEAP involves authentication of the server by the client, ensure
that the Validate server certificate is checked. Also, make
sure the CA that issued the ACS certificate is checked under the Trusted Root
Certification Authorities menu. Check only the CA that issued the ACS
certificate, not every listed root, and enter the ACS server name in the
Connect to these servers field so that the client does not accept a server
certificate from some other CA it happens to trust.
Choose Secured password (EAP-MSCHAP v2) under
Authentication Method as it is used for inner
Make sure the Enable Fast Reconnect check box is
checked. Then, click OK three times.
Right-click the wireless network connection icon in the system tray, and
then click View Available Wireless
Click the Employee wireless network, and then click
Connect. The wireless client will show
Connected if the connection is
After authentication is successful, check the TCP/IP configuration
for the wireless adapter by using Network Connections. It should have an
address in the range 10.0.20.101-10.0.20.200 (the CorpNet DHCP scope minus the
excluded addresses 10.0.20.1-10.0.20.100) or from the scope
created for the CorpNet wireless clients.
In order to test functionality, open up a browser and browse to
http://10.0.10.10 (or the IP address of the CA
When your client fails PEAP authentication with an ACS server, check if
you find the NAS duplicated authentication
attempt error message in the Failed attempts
option under the Report and Activity menu of the ACS.
You might receive this error message when Microsoft Windows XP SP2 is
installed on the client machine and Windows XP SP2 authenticates against a
third party server other than a Microsoft IAS server. In particular, Cisco
RADIUS server (ACS) uses a different method to calculate the Extensible
Authentication Protocol Type:Length:Value format (EAP-TLV) ID than the method
Windows XP uses. Microsoft has identified this as a defect in the XP SP2
For a hotfix, contact Microsoft and refer to the Microsoft article on PEAP
authentication that is not successful when you connect to a third-party RADIUS
server. The underlying issue is that on the client side, with the Windows
utility, the Fast Reconnect option is disabled for PEAP by default. However,
this option is enabled by default on the server side (ACS). In order to resolve
this issue, uncheck the Fast Reconnect option on the ACS server (under Global
System Options). Alternatively, you can enable the Fast Reconnect option on the
client side to resolve the issue.
Perform these steps in order to enable Fast Reconnect on a client that
runs Windows XP using the Windows utility:
Go to Start > Settings >
Double-click the Network Connections
Right-click the Wireless Network Connection icon,
and then click Properties.
Click the Wireless Networks
Choose the Use Windows to configure my wireless network
settings option in order to enable windows to configure the client
If you have already configured an SSID, choose the SSID and click
Properties. If not, click New in order to add
a new WLAN.
Enter the SSID under the Association tab. Make sure that Network
Authentication is Open and Data Encryption is set to
Choose the Enable IEEE 802.1x authentication for this
Choose PEAP as the EAP Type, and click
Choose the Enable Fast Reconnect option at the
bottom of the page.